Sourcing SOX Compliance Costs: Fewer Controls, More Scrutiny

In a recent post recapping our webinar on rising SOX compliance costs, we cited increased external auditor scrutiny of “information produced by entity” (IPE), or electronic audit evidence, as contributing significantly to the increase in costs, with the testing and validation of IPE requiring almost twice the eight-hour average time required to test other internal controls.

External auditors of public companies have come under increasing pressure from the Public Company Accounting Oversight Board (PCAOB). One area of particular emphasis has been the reliance of external auditors on IPE, and the need for increased rigor to ensure that the information is accurate and reliable.

IPE is the raw material from which external audits are crafted. It is, therefore, critical for organizations to be able to “show their work” in a way that can easily be verified and validated. This applies both to the integrity of the data itself and the processes underlying the generation of reports that control owners rely upon when executing an internal control. Under PCAOB standards, an external auditor should rely on an entity-produced report or spreadsheet only if there is sufficient evidence to prove that the information within the IPE document is both accurate and complete.

In my own field experience, it’s not unusual to encounter anywhere from 100 to 150 process-level controls. Because of the precision required by external auditors to meet the PCAOB standards, each of these controls might require 12 to 14 hours to test.

Overall, one in five public companies tests IPE every time a control is tested. Again, while respondents to our survey reported a decrease in the number of controls tested, the amount of effort being spent on the controls they do test has increased, and IPE certainly is one of the big contributors to that.

In such an environment, it’s easy to see how automated controls might significantly reduce the time and effort required for verification, particularly in comparison with a traditional spreadsheet in which every formula is a potential point of failure.

A more robust information technology environment provides a more reliable control environment, so we expect to see automated controls lead to a lot more efficiencies and eliminate human errors associated with manual entries into spreadsheets.

Not surprisingly, we’ve noticed that large accelerated and accelerated filers — entities that have adopted automated controls and reporting out of necessity and therefore tend to be more mature in their control environment — are doing the best job of managing the increasingly granular and transparent reporting requirements.

But companies of all sizes are making progress in this area, and we expect to see that continue. Well over half of the organizations surveyed reported that they have at least moderate plans to continue to automate their controls in 2016. We certainly see this trend at our clients and anticipate seeing more as organizations evolve from newly-public into more established entities.

Bottom line: In the current audit environment, organizations are placing an increasing emphasis on quality over quantity of controls. We’re seeing controls getting stronger, and the rigor from external audit related to PCAOB pressure certainly has an impact on that. I also think that companies are reaping the benefits of these strong controls that they can rely on internally and are looking to reduce the amount of controls that they ultimately have to focus on. It is important in all this that companies have a solid rationale behind their testing approach and communicate with their external auditors early and often.